Ok, so there are still people who would pay it. Great. But then there are people who wouldn't pay it if they thought they wouldn't get their files back. For your argument's sake, let's say that's 10% of the people.

So word gets out that the scammers are "nice" and they'll honor their word. The victims browse for a solution and find out that they can actually get their files back. So the scammers gain another customer - that's another $300 - that they would have otherwise lost. And that's all by doing something very easy: just giving their files back.

So again, the question is: why wouldn't the scammers do it when it's that easy? On the Avast link, somebody said they're making $300k+/month on this scam. That's ~1000 people per month. Assuming the 10% that wouldn't pay (a horrible underestimate) - because they thought the scammers won't make good on the ransom - change their minds, that's $30k. Pretend he's worth $95/hr and wrote that feature in 5 hours. For $475, he's pulling in an extra $30k a month. I hate to say it, but it's the right business move.

I'd wager that the vast majority of victims won't "browse for a solution." If the malware is programmed to tell the user something like, "Hello from the FBI. It looks like some Chinese hackers encrypted all of your files. If you pay us, we will unlock your files for you," then the user, who is more than likely about as tech-savvy as a loaf of bread, will gladly pay the fee without doing any sort of investigation. In this scenario, what is the point of being trustworthy? The only thing you're handing over at this point is a potential clue for how to unravel the whole scheme.

I'd wager that the vast majority of victims won't "browse for a solution."

You and I can argue about how stupid the average user is, but let's talk numbers again:

Ok, let's say 1% (the "vast minority") of users is skeptical enough to say, "I'm not sure if I'll get my files back whether or not I pay, so I give up." Those 1% go to "browse for a solution." They find that they can actually get their files back. On 1000 victims a month, that's $3k. At $95/hr, it cost $475 over 5 hours to make an extra $3k a month. Is $3k a month, assuming 1% which I still think is outlandishly low, worth being "trustworthy" at the expense of potentially busting their business (which they are likely shielded from since they're probably in Russia or China, where they will never be stopped in a million years anyway)? Apparently they seem to think so. Like I said, on their end, it makes the most business sense.

It may be their MO for now, but don't count on it to continue. There is a break-even point where the reduction in income from not sending out the codes is balanced out by the potential for an AV company to get enough of a sample size (of codes) to figure out how to build some sort of program that will unlock all of the infected machines. At this point, almost all of the people who actually look for a solution will find the link to Kaspersky's or AVG's or whoever's unlock software that is available for free. The impulsive baguettes that I know are the majority will pay the ransom regardless of whether or not the malicious party will send them the code. These same people will also pay regardless of whether or not there's an unlock tool available.

So, once again, how much long term value is there in continuing to send out the codes?

lol well if they're counting on doing this until RSA is cracked, they may have all the time in the world. That's pretty long-term. Read up on RSA. If you can find an algorithm to solve factoring, I'm sure they'll give you a Nobel prize. If you can invent a machine that will brute-force the 2048-bit key (3.2317006071311007300714876688669951960444102669 × 10^616 possible keys, says WolframAlpha) in less time than the current age of the universe (15 billion years?), you'll get another Nobel prize.

If breaking the cryptography were that simple, you would never want to buy off of Amazon or use PayPal because the interwebz would be total anarchy; you would never know if you were talking to a legitimate company or getting duped by an imposter.

So once again, they are gaining the "business" of this 1% (for your argument's sake) that is not in the "vast majority" of people who would pay anyway. All because the scammers have made a way for them to get their files back.
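To make the disagreement above concrete, here is an added example (it is not code from the thread, and not CryptoLocker's own code) of the key handling the two posters are arguing about: one RSA key pair whose private half stays at the C2, a fresh random symmetric key per victim, and only the RSA-wrapped copy of that key left on the infected machine. It also works out the brute-force figure from the post above as integer arithmetic. Assumptions: textbook RSA without padding (real deployments use OAEP), a SHA-256 counter-mode keystream as a stand-in for AES so it runs on the standard library alone, constructed sample files, and a made-up guess rate of 10^18 keys per second.

```python
import hashlib
import math
import secrets

SECONDS_PER_YEAR = 31_557_600
AGE_OF_UNIVERSE_YEARS = 13_800_000_000  # rough figure, assumption for the comparison


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (enough for a demo key generator)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has exactly the wanted size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa(bits=2048, e=65537):
    """Attacker's key pair: (n, e) goes into the malware, (n, d) never leaves the C2."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def wrap_key(pub, key):
    """Textbook RSA encryption of a 32-byte symmetric key (no padding: assumption, demo only)."""
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)


def unwrap_key(priv, wrapped, key_len=32):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def keystream_xor(key, nonce, data):
    """Counter-mode keystream from SHA-256, standing in for AES. Same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def infect(pub, files):
    """Per victim: fresh key, encrypt every file, leave only the RSA-wrapped key behind."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    encrypted = {name: keystream_xor(key, nonce, data) for name, data in files.items()}
    ransom_note = {"wrapped_key": wrap_key(pub, key), "nonce": nonce}
    del key  # the plaintext key is gone from the victim's machine; only the C2 can recover it
    return encrypted, ransom_note


def release_code(priv, ransom_note):
    """What the scammers hand over after payment: that one victim's symmetric key."""
    return unwrap_key(priv, ransom_note["wrapped_key"])


def recover(code, ransom_note, encrypted):
    return {name: keystream_xor(code, ransom_note["nonce"], data) for name, data in encrypted.items()}


def years_to_brute_force(bits, guesses_per_second):
    """Exhaustive search of a bits-wide key space, kept in integers because 2**2048 overflows a float."""
    return (1 << bits) // (guesses_per_second * SECONDS_PER_YEAR)


if __name__ == "__main__":
    pub, priv = gen_rsa(2048)
    victim_a = {"thesis.docx": b"constructed sample file for victim A"}
    victim_b = {"photos.zip": b"constructed sample file for victim B"}
    enc_a, note_a = infect(pub, victim_a)
    enc_b, note_b = infect(pub, victim_b)
    code_a = release_code(priv, note_a)
    assert recover(code_a, note_a, enc_a) == victim_a        # paying victim gets their files back
    assert recover(code_a, note_b, enc_b) != victim_b        # A's released code is useless for B
    print("years to brute-force a 2048-bit key at 1e18/s:", years_to_brute_force(2048, 10**18))
```

The point this shows about the "sample size of codes" idea: every released code is an independent random key, so collecting a thousand of them gives an AV vendor nothing that helps the next victim, whose files depend on the one private key that never leaves the C2. The free unlock tools that do appear for this kind of malware come from a seized or leaked private key, or from a flaw in how the malware generated or stored keys, not from accumulated codes.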

GPCode never really caught on, for whatever reason. Hopefully this one and its ilk won't expand very far, either.

Interesting... I just read up on wikipedia for that one. Makes me wish I was into that kind of thing back then, because finding the flaws would have been fun.

I wonder if somebody could stop this CryptoLocker by DDoS or something. Apparently it doesn't do anything if it can't get a key from the C2. Imagine if there were a hacker gang in Russia or China that STOPPED crime. That would be something.